Security News > 2024 > January > Microsoft reveals how hackers breached its Exchange Online accounts

On January 12, 2024, Microsoft discovered that Russian hackers breached its systems in November 2023 and stole email from their leadership, cybersecurity, and legal teams.
Microsoft now explains that the threat actors used residential proxies and "Password spraying" brute-force attacks to target a small number of accounts, with one of these accounts being a "Legacy, non-production test tenant account."
When Microsoft first disclosed the breach, many wondered whether MFA was enabled on this test account and how a test legacy account would have enough privileges to spread laterally to other accounts in the organization.
"Using the information gained from Microsoft's investigation into Midnight Blizzard, Microsoft Threat Intelligence has identified that the same actor has been targeting other organizations and, as part of our usual notification processes, we have begun notifying these targeted organizations," warns Microsoft in the new update.
In September 2023, it was also revealed that the Chinese Storm-0558 hacking group stole 60,000 emails from U.S. State Department accounts after breaching Microsoft's cloud-based Exchange email servers earlier that year.
Finally, Microsoft advises using targeted hunting queries in Microsoft Defender XDR and Microsoft Sentinel to identify and investigate suspicious activities.
News URL
Related news
- Microsoft Exchange Online outage affects Outlook web users (source)
- Microsoft: Exchange Online bug mistakenly quarantines user emails (source)
- Microsoft: North Korean hackers join Qilin ransomware gang (source)
- Week-long Exchange Online outage causes email failures, delays (source)
- Microsoft Credits EncryptHub, Hacker Behind 618+ Breaches, for Disclosing Windows Flaws (source)
- Microsoft investigates global Exchange Admin Center outage (source)
- Microsoft: Exchange 2016 and 2019 reach end of support in six months (source)
- Russian Hackers Exploit Microsoft OAuth to Target Ukraine Allies via Signal and WhatsApp (source)
- Hackers abuse OAuth 2.0 workflows to hijack Microsoft 365 accounts (source)